Echoes From the Past on Encryption

President Obama’s recent comments calling for a public debate on encryption are, as Susan Landau recently pointed out, some much-needed straight talk about the issue. In Susan’s words, “the debate is not about perfect security versus privacy and civil liberties; it is about our society’s willingness to accept risk.” What’s striking about this debate is that it’s nearly 2 decades old. Here’s the words of Louis Freeh, then director of the FBI: “The looming spectre of the widespread use of robust, virtually uncrackable encryption is one of the most difficult problems confronting law enforcement. . . . At stake are some of our most valuable and reliable investigative techniques, and the public safety of our citizens. . . . Uncrackable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity.” Director Freeh and others predicted disaster if the encryption problem was not solved, but their prediction was wrong. Even the horrific events of September 11, 2001 were the result of organizational failures in the U.S. government, and not because of encryption. But are things different today? It’s certainly true that the number of ways to communicate and store information electronically has gone up, and we are all more dependent on technology for our daily activities. And for everyone, there’s more awareness of security issues. But many things are the same, such as the unchanging reality that encryption can be used to conceal crime and terrorist activities and to protect against them. Another important but overlooked point is that criminals are not generally smarter than the rest of us. Most of us have forgotten our password and had to ask for help from our employer or our service provider. If I’m on my own to remember my password, I will make sure I have continuing access to it—which means I am likely to record it somewhere that I can still get it. If I can get it, so can law enforcement officials. Criminals forget their passwords too, and if they have not written them down somewhere, certain crimes will not happen because the would-be perpetrators will not be able to access the information needed to commit them. Remember also that copies of data often exist in places other than on personal devices, as people back up and synchronize their data across computers in several locations. Apple and Google have promised to deliver encryption that only their customers will be able to unlock. But some customers will soon demand that these vendors be able to unlock the encryption when they have forgotten or lost their keys. Thus, subsequent versions of Apple and Google products may well offer key recovery capabilities to customers, and law enforcement authorities will have access to those capabilities as well. Louis Freeh made just such an argument in 1997 when he noted that “rational thinking corporations will . . . insist on using key recovery encryption for electronically stored information.” When (as I predict) Apple and Google start to offer key recovery services to their customers, law enforcement authorities will have yet another path to pursue. Do new encryption capabilities pose problems for law enforcement? In some cases, they surely will, just as criminal investigations have surely been stymied by an inability to find evidence that was safely hidden in unknown safe deposit boxes. But our law enforcement agencies are dedicated, hardworking, and smart, and the evidence from the first round of the crypto wars suggests that they will be able to adapt a new technological environment without the difficulties of legislation interfering with the market-based decisions of the nation’s information technology companies.